1

I have an application that needs to make HTTP requests to a remote server. The connection should be secure using TLS. Due to an external specification, the application must validate the presented server certificate using OCSP.

As the application is hard to change, I would like to offload the TLS handling completely to a reverse proxy, preferably NGINX or Apache. That is, the application talks to the proxy in plain text and the proxy then forwards requests to the upstream server.

I found the proxy_ssl_crl config for NGINX and the SSLProxyCARevocationFile directive for Apache, which seem to do additional validation on the server certificate. However, I found no option to make either of them use OCSP to validate the upstream server certificate.

How could that be achieved? If not with NGINX or Apache, what would be a working alternative?

2
  • Why not try a forward proxy?
    – AlexD
    Commented Jan 31 at 16:34
  • In principle I would be open to that. However, since I only need to proxy a single upstream server, I thought it was easier using a reverse proxy. Moreover, I'd like the proxy to be transparent, avoiding defining the proxy explicitly in the application.
    – Rosso
    Commented Jan 31 at 17:14

2 Answers

0

If I understood it correctly, you want to verify the certificate by OCSP, which might not be enabled by default on NGINX but can be changed to this behavior. According to the original NGINX documentation:

  • Enables verification of client certificates. The verification result is stored in the $ssl_client_verify variable. (on/off)
        ssl_verify_client on;
  • Enables OCSP validation of the client certificate chain. The leaf parameter enables validation of the client certificate only. (on/off/leaf)
        ssl_ocsp on;
  • Forces the use of a specific DNS resolver.
        resolver 192.168.2.1;
  • Overrides the URL of the OCSP responder specified in the “Authority Information Access” certificate extension for validation of client certificates. I.e., if you run your own OCSP distribution site, or need to use a specific one.
        ssl_ocsp_responder http://ocsp.example.org;

Additionally:

  • Enables or disables verification of OCSP responses by the server.
        ssl_stapling_verify on;

Since it's unclear which side should be verified, I'm going for a more general approach.

Remember that, if I read correctly, all configuration parameters can be added to the server section, which affects all sub-locations, so you will only need to configure it once.

A generic configuration could look like this example:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/your/certificate.pem;
    ssl_certificate_key /path/to/your/private-key.pem;

    ssl_ocsp on;
    ssl_verify_client on;
    resolver 192.168.2.1;

    location / {
        proxy_pass http://your_upstream_server;
    }
}

If you need to use a specific certificate for verification, I would suggest the following (taken from serverfault):

    # Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.
    # The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used. 
    ssl_client_certificate /etc/nginx/client_certs/ca.crt;
    ssl_verify_client on;
    ssl_stapling on; #Yes this has to be configured to use OCSP
    resolver 192.0.2.1;

which would lead to this example configuration:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/your/certificate.pem;
    ssl_certificate_key /path/to/your/private-key.pem;

    ssl_ocsp on;
    ssl_verify_client on;
    ssl_client_certificate /etc/nginx/client_certs/ca.crt;
    ssl_stapling on; #Yes this has to be configured to use OCSP
    resolver 192.0.2.1;

    location / {
        proxy_pass http://your_upstream_server;
    }
}

I hope I could help you with both ways.

P.S. I would greatly appreciate it if someone could edit this response to produce a more fluent and pleasant-sounding response. I am not particularly proficient in writing English.

1
  • Thank you for your elaborate response. I want to verify the certificate of the proxied server: proxy_pass https://upstream_server; which seems not to be possible, at least according to the documentation of the directives you mentioned. ssl_stapling enables OCSP validation of nginx's own certificate presented to the client, not the upstream's. ssl_ocsp enables OCSP validation of the client certificate presented to nginx. I am missing a configuration option that enables OCSP validation for the upstream server certificate.
    – Rosso
    Commented Feb 7 at 15:45
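Since neither ssl_ocsp nor ssl_stapling looks at the upstream certificate, the OCSP check has to live wherever the proxy's client side is implemented; the following is an added example of that check in Python, not code from the question or either answer. It assumes the `cryptography` package, accepts only responses signed directly by the issuing CA (no delegated responder certificate), and builds a constructed test CA, leaf and response so it runs offline.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

UTC = dt.timezone.utc

def ocsp_status(der, leaf, issuer, now):
    """'GOOD', 'REVOKED' or 'UNKNOWN' once signature, serial and validity window check out."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError(f"responder error: {resp.response_status.name}")
    # Simplification: accept only responses signed directly by the issuing CA (no delegated signer).
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != leaf.serial_number:
        raise ValueError("response is about a different certificate")
    # Prefer the aware *_utc properties (newer cryptography), else the naive UTC ones;
    # a missing nextUpdate means "always current", so it is treated as now.
    this_upd = getattr(resp, "this_update_utc", None) or resp.this_update.replace(tzinfo=UTC)
    next_upd = getattr(resp, "next_update_utc", None) or (getattr(resp, "next_update", None) or now).replace(tzinfo=UTC)
    if not this_upd <= now <= next_upd:
        raise ValueError("response outside its validity window (stale or replayed)")
    return resp.certificate_status.name

def _cert(cn, issuer_cn, key, signer_key, serial, now):
    """Constructed test certificate (self-signed CA when cn == issuer_cn)."""
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_cn)]))
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(now - dt.timedelta(days=1)).not_valid_after(now + dt.timedelta(days=30))
            .sign(signer_key, hashes.SHA256()))

def demo(revoked=False, skew_seconds=0):
    """Constructed CA, upstream leaf and CA-signed response, checked skew_seconds after issue."""
    now = dt.datetime.now(UTC).replace(microsecond=0)  # DER timestamps carry whole seconds
    ca_key, leaf_key = ec.generate_private_key(ec.SECP256R1()), ec.generate_private_key(ec.SECP256R1())
    ca = _cert("Test CA", "Test CA", ca_key, ca_key, 1, now)
    leaf = _cert("upstream.example.test", "Test CA", leaf_key, ca_key, 0x1001, now)
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(leaf, ca, hashes.SHA256(), status, now, now + dt.timedelta(hours=1),
                          now if revoked else None, x509.ReasonFlags.key_compromise if revoked else None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca).sign(ca_key, hashes.SHA256()))
    return ocsp_status(resp.public_bytes(serialization.Encoding.DER), leaf, ca,
                       now + dt.timedelta(seconds=skew_seconds))
```

Against a real upstream, the DER response would come from a POST of an OCSPRequest to the URL in the leaf's Authority Information Access extension, and ocsp_status would be called on it before the proxied request is sent.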
-1

For NGINX, you can use the ssl_stapling and ssl_stapling_verify directives:

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/your/certificate.pem;
    ssl_certificate_key /path/to/your/private-key.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;  # DNS resolver nginx uses to look up the OCSP responder's hostname

    location / {
        proxy_pass http://your_upstream_server;
    }
}

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling

1
  • He's asking for a reverse proxy that accepts clear-text requests before forwarding them to the remote. The question isn't about having the server do OCSP, but about the proxy verifying OCSP.
    – vidarlo
    Commented Jan 31 at 15:55
